2024-08-29 11:44:06 +02:00 · 2024-08-27 13:36:41 +02:00
12 changed files with 165 additions and 22 deletions
--- a/bid_main/forms.py
+++ b/bid_main/forms.py
@ -13,11 +13,11 @@ from django.template import defaultfilters
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from django_otp.oath import TOTP
 from django_otp.plugins.otp_totp.models import TOTPDevice
 from otp_agents.views import OTPTokenForm
 from .models import User, OAuth2Application
 from .recaptcha import check_recaptcha
 from mfa.models import EncryptedTOTPDevice
 import bid_main.tasks
 log = logging.getLogger(__name__)
@ -492,7 +492,7 @@ class TotpMfaForm(forms.Form):
    )
    key = forms.CharField(widget=forms.HiddenInput)
    name = forms.CharField(
-        max_length=TOTPDevice._meta.get_field('name').max_length,
+        max_length=EncryptedTOTPDevice._meta.get_field('name').max_length,
        widget=forms.TextInput(
            attrs={"placeholder": "device name (for your convenience)"},
        ),
@ -518,7 +518,7 @@ class TotpMfaForm(forms.Form):
    def save(self):
        key = self.cleaned_data.get('key')
        name = self.cleaned_data.get('name')
-        TOTPDevice.objects.create(key=key, name=name, user=self.user)
+        EncryptedTOTPDevice.objects.create(encrypted_key=key, key='', name=name, user=self.user)
    @classmethod
    def sign(cls, user, key):
--- a/bid_main/models.py
+++ b/bid_main/models.py
@ -15,9 +15,6 @@ from django.core.mail import send_mail
 from django.db import models, transaction
 from django.db.models import Q
 from django import urls
 from django_otp import devices_for_user
 from django_otp.plugins.otp_static.models import StaticDevice
 from django_otp.plugins.otp_totp.models import TOTPDevice
 from django.templatetags.static import static
 from django.utils.deconstruct import deconstructible
 from django.utils import timezone
@ -27,6 +24,7 @@ import user_agents
 from . import fields
 from . import hashers
 from mfa.models import EncryptedRecoveryDevice, EncryptedTOTPDevice, devices_for_user
 import bid_main.file_utils
 import bid_main.utils
@ -548,9 +546,9 @@ class User(AbstractBaseUser, PermissionsMixin):
    def mfa_devices_per_category(self):
        devices_per_category = defaultdict(list)
        for device in devices_for_user(self):
-            if isinstance(device, StaticDevice):
+            if isinstance(device, EncryptedRecoveryDevice):
                devices_per_category['recovery'].append(device)
-            if isinstance(device, TOTPDevice):
+            if isinstance(device, EncryptedTOTPDevice):
                devices_per_category['totp'].append(device)
        return devices_per_category
--- a/bid_main/templates/bid_main/mfa/setup.html
+++ b/bid_main/templates/bid_main/mfa/setup.html
@ -51,7 +51,7 @@ Multi-factor Authentication Setup
  {% with recovery=devices_per_category.recovery.0 %}
  {% if recovery %}
  <div class="mb-3">
-    {% with code_count=recovery.token_set.count %}
+    {% with code_count=recovery_codes|length %}
    {{ code_count }} recovery code{{ code_count|pluralize }} remaining
    {% if recovery_codes %}
    <a href="?display_recovery_codes=" class="btn">Hide</a>
--- a/bid_main/views/mfa.py
+++ b/bid_main/views/mfa.py
@ -9,15 +9,13 @@ from django.urls import reverse, reverse_lazy
 from django.views.generic import TemplateView
 from django.views.generic.base import View
 from django.views.generic.edit import DeleteView, FormView
 from django_otp import devices_for_user
 from django_otp.models import Device
 from django_otp.plugins.otp_static.models import StaticDevice
 from django_otp.plugins.otp_totp.models import TOTPDevice, default_key
 from django_otp.util import random_hex
 import qrcode
 from . import mixins
 from bid_main.forms import DisableMfaForm, TotpMfaForm
 from mfa.models import EncryptedRecoveryDevice, EncryptedTOTPDevice, devices_for_user
 class MfaView(mixins.MfaRequiredIfConfiguredMixin, TemplateView):
@ -34,7 +32,8 @@ class MfaView(mixins.MfaRequiredIfConfiguredMixin, TemplateView):
        user_can_setup_recovery = False
        devices_per_category = user.mfa_devices_per_category()
        if self.request.GET.get('display_recovery_codes') and 'recovery' in devices_per_category:
-            recovery_codes = [t.token for t in devices_per_category['recovery'][0].token_set.all()]
+            recovery_device = devices_per_category['recovery'][0]
            recovery_codes = [t.encrypted_token for t in recovery_device.encryptedtoken_set.all()]
        if devices_per_category.keys() - {'recovery'}:
            user_can_setup_recovery = True
        return {
@ -52,7 +51,7 @@ class DisableView(mixins.MfaRequiredMixin, FormView):
    @transaction.atomic
    def form_valid(self, form):
-        for device in devices_for_user(self.request.user, confirmed=None):
+        for device in devices_for_user(self.request.user):
            device.delete()
        return super().form_valid(form)
@ -61,15 +60,17 @@ class GenerateRecoveryView(mixins.MfaRequiredIfConfiguredMixin, View):
    @transaction.atomic
    def post(self, request, *args, **kwargs):
        user = self.request.user
-        if not list(filter(lambda d: not isinstance(d, StaticDevice), devices_for_user(user))):
+        if not list(
            filter(lambda d: not isinstance(d, EncryptedRecoveryDevice), devices_for_user(user))
        ):
            # Forbid setting up recovery codes unless the user already has some other method
            return HttpResponseBadRequest("can't setup recovery codes before other methods")
        user.staticdevice_set.all().delete()
-        device = StaticDevice.objects.create(name='recovery', user=user)
+        device = EncryptedRecoveryDevice.objects.create(name='recovery', user=user)
        for _ in range(10):
            # https://pages.nist.gov/800-63-3/sp800-63b.html#5122-look-up-secret-verifiers
            # don't use less than 64 bits
-            device.token_set.create(token=random_hex(8).upper())
+            device.encryptedtoken_set.create(encrypted_token=random_hex(8).upper())
        return redirect(reverse('bid_main:mfa') + '?display_recovery_codes=1#recovery-codes')
@ -86,7 +87,7 @@ class TotpView(mixins.MfaRequiredIfConfiguredMixin, FormView):
    def get_form(self, *args, **kwargs):
        kwargs = self.get_form_kwargs()
-        key = self.request.POST.get('key', default_key())
+        key = self.request.POST.get('key', random_hex(20))
        kwargs['initial']['key'] = key
        kwargs['initial']['signature'] = TotpMfaForm.sign(kwargs['user'], key)
        return TotpMfaForm(**kwargs)
@ -101,7 +102,7 @@ class TotpView(mixins.MfaRequiredIfConfiguredMixin, FormView):
        key = context['form'].initial['key']
        b32key = b32encode(unhexlify(key)).decode('utf-8')
        context['manual_secret_key'] = b32key
-        device = TOTPDevice(key=key, user=self.request.user)
+        device = EncryptedTOTPDevice(encrypted_key=key, user=self.request.user)
        context['config_url'] = device.config_url
        image = qrcode.make(
            device.config_url,
@ -126,7 +127,7 @@ class DeleteDeviceView(mixins.MfaRequiredMixin, DeleteView):
        for device in devices_for_user(self.request.user):
            if (
                device.persistent_id != kwargs['persistent_id']
-                and not isinstance(device, StaticDevice)
+                and not isinstance(device, EncryptedRecoveryDevice)
            ):
                # there are other non-recovery devices, it's fine to delete this one
                return super().get(request, *args, **kwargs)
--- a/bid_main/views/normal_pages.py
+++ b/bid_main/views/normal_pages.py
@ -22,8 +22,6 @@ from django.views.decorators.cache import never_cache
 from django.views.generic import TemplateView, FormView
 from django.views.generic.base import View
 from django.views.generic.edit import UpdateView
 from django_otp import devices_for_user
 from otp_agents.forms import OTPTokenForm
 import loginas.utils
 import oauth2_provider.models as oauth2_models
 import otp_agents.views
--- a/blenderid/settings.py
+++ b/blenderid/settings.py
@ -36,9 +36,25 @@ PREFERRED_SCHEME = "https"
 # Update this to something unique for your machine.
 SECRET_KEY = os.getenv('SECRET_KEY', 'default-dev-secret')
 # NACL_FIELDS_KEY is used to encrypt MFA shared secrets
 # !!!!!!!!!!!!
 # !!!DANGER!!! its loss or bad rotation will lock out all users with MFA!!!
 # !!!!!!!!!!!!
 # generate a prod key with ./manage.py createkey
 # and put it as a string in the .env file,
 # .encode('ascii') takes care of making the variable populated with a byte array
 NACL_FIELDS_KEY = os.getenv(
    'NACL_FIELDS_KEY', 'N5W|iA&lZ7iGsy92=qlr>~heUoH4ZX16pCEGG*R+'
 ).encode('ascii')
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = bool(os.getenv('DEBUG', False))
 if not DEBUG and NACL_FIELDS_KEY == b'N5W|iA&lZ7iGsy92=qlr>~heUoH4ZX16pCEGG*R+':
    raise Exception('please override NACL_FIELDS_KEY in .env')
 if not DEBUG and SECRET_KEY == 'default-dev-secret':
    raise Exception('please override SECRET_KEY in .env')
 TESTING = sys.argv[1:2] == ['test']
 ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS', 'id.local').split(',')
@ -65,10 +81,12 @@ INSTALLED_APPS = [
    "sorl.thumbnail",
    "django_admin_select2",
    "loginas",
    "nacl_encrypted_fields",
    "bid_main",
    "bid_api",
    "bid_addon_support",
    "background_task",
    "mfa",
 ]
 MIDDLEWARE = [
--- a/mfa/init.py
+++ b/mfa/init.py
--- a/mfa/apps.py
+++ b/mfa/apps.py
@ -0,0 +1,6 @@
 from django.apps import AppConfig
 class MfaConfig(AppConfig):
    default_auto_field = 'django.db.models.BigAutoField'
    name = "mfa"
--- a/mfa/migrations/0001_initial.py
+++ b/mfa/migrations/0001_initial.py
@ -0,0 +1,70 @@
 # Generated by Django 4.2.13 on 2024-08-13 11:33
 from django.db import migrations, models
 import django.db.models.deletion
 import nacl_encrypted_fields.fields
 class Migration(migrations.Migration):
    initial = True
    dependencies = [
        ('otp_static', '0003_add_timestamps'),
        ('otp_totp', '0003_add_timestamps'),
    ]
    operations = [
        migrations.CreateModel(
            name='EncryptedTOTPDevice',
            fields=[
                (
                    'totpdevice_ptr',
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to='otp_totp.totpdevice',
                    ),
                ),
                ('encrypted_key', nacl_encrypted_fields.fields.NaClCharField(max_length=255)),
            ],
            options={
                'abstract': False,
            },
            bases=('otp_totp.totpdevice',),
        ),
        migrations.CreateModel(
            name='EncryptedRecoveryDevice',
            fields=[],
            options={
                'abstract': False,
                'proxy': True,
                'indexes': [],
                'constraints': [],
            },
            bases=('otp_static.staticdevice',),
        ),
        migrations.CreateModel(
            name='EncryptedStaticToken',
            fields=[
                (
                    'id',
                    models.BigAutoField(
                        auto_created=True, primary_key=True, serialize=False, verbose_name='ID'
                    ),
                ),
                ('encrypted_token', nacl_encrypted_fields.fields.NaClCharField(max_length=255)),
                (
                    'device',
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE,
                        related_name='encryptedtoken_set',
                        to='mfa.encryptedrecoverydevice',
                    ),
                ),
            ],
        ),
    ]
--- a/mfa/migrations/init.py
+++ b/mfa/migrations/init.py
--- a/mfa/models.py
+++ b/mfa/models.py
@ -0,0 +1,50 @@
 from binascii import unhexlify
 from django.db import models
 from django_otp.plugins.otp_static.models import StaticDevice
 from django_otp.plugins.otp_totp.models import TOTPDevice
 from nacl_encrypted_fields.fields import NaClCharField
 class EncryptedRecoveryDevice(StaticDevice):
    class Meta(StaticDevice.Meta):
        abstract = False
        proxy = True
    def verify_token(self, token):
        verify_allowed, _ = self.verify_is_allowed()
        if verify_allowed:
            match = self.encryptedtoken_set.filter(encrypted_token=token).first()
            if match is not None:
                match.delete()
                self.throttle_reset(commit=False)
                self.set_last_used_timestamp(commit=False)
                self.save()
            else:
                self.throttle_increment()
        else:
            match = None
        return match is not None
 class EncryptedStaticToken(models.Model):
    device = models.ForeignKey(
        EncryptedRecoveryDevice, related_name='encryptedtoken_set', on_delete=models.CASCADE
    )
    encrypted_token = NaClCharField(max_length=255)
 class EncryptedTOTPDevice(TOTPDevice):
    encrypted_key = NaClCharField(max_length=255)
    @property
    def bin_key(self):
        return unhexlify(self.encrypted_key.encode())
 def devices_for_user(user):
    return [
        *EncryptedRecoveryDevice.objects.filter(user=user).all(),
        *EncryptedTOTPDevice.objects.filter(user=user).all(),
    ]
--- a/requirements.txt
+++ b/requirements.txt
@ -15,6 +15,7 @@ django-background-tasks-updated @ git+https://projects.blender.org/infrastructur
 django[bcrypt]==4.2.13 ; python_version >= "3.8" and python_version < "4"
 django-compat==1.0.15 ; python_version >= "3.8" and python_version < "4"
 django-loginas==0.3.11 ; python_version >= "3.8" and python_version < "4"
 django-nacl-fields==4.1.0
 django-oauth-toolkit @ git+https://projects.blender.org/Oleg-Komarov/django-oauth-toolkit.git@0b056a99ca943771615b859f48aaff0e12357f22 ; python_version >= "3.8" and python_version < "4"
 django-otp==1.5.1
 django-otp-agents==1.0.1
@ -41,6 +42,7 @@ pycparser==2.19 ; python_version >= "3.8" and python_version < "4"
 pygments==2.17.2 ; python_version >= "3.8" and python_version < "4"
 pyinstrument==4.6.0 ; python_version >= "3.8" and python_version < "4"
 pymdown-extensions==10.7 ; python_version >= "3.8" and python_version < "4"
 pynacl==1.5.0
 pypng==0.20220715.0
 pypugjs==5.9.12 ; python_version >= "3.8" and python_version < "4"
 python-dateutil==2.8.1 ; python_version >= "3.8" and python_version < "4"